VoIP – vulnerabilities and attacks

null Mumbai July-August 2012 Meet

  1. VoIP – Vulnerabilities and Attacks
     Presented by - push
  2. Agenda
     • Introduction to VoIP
       – VoIP Architecture
       – VoIP Components
       – VoIP Protocols
     • A PenTester Perspective
       – Attack Vectors
       – Scanning
       – Attacks
       – Tools of Trade
       – Countermeasures and Security
     http://null.co.in/ http://nullcon.net/
  3. Remember Something?
  4. VoIP
     • IP Telephony
     • Voice over Internet Protocol
     • Subset of IP Telephony
     • Transmission of “Voice” over Packet-Switched Network.
     • Is it only Voice???
       – Data, Audio, Video
  5. VoIP
     • Voice Analog Signals are converted to digital bits - “Sampled” and transmitted in packets
     [Diagram: Analog Voice Signals → digital bits → Internet → digital bits → Analog Voice Signals]
  6. VoIP Architecture
     Ordinary Phone → ATA → Ethernet → Router → Internet
  7. VoIP Architecture
     IP Phone → Ethernet → IP-PBX → Router → Internet
     [Diagram labels: Internet, IP Phone, IP-PBX, Modem / Router]
  8. VoIP Architecture
     Softphone Phone → Ethernet → Router → Internet
  9. VoIP Architecture
  10. VoIP Components
      • User Agents (devices)
      • Redirect Servers
      • Media gateways
      • Registrar Servers
      • Signaling gateways
      • Location Servers
      • Network management system
      • Gatekeepers
      • Billing systems
      • Proxy Servers
      Abbreviations:
      GW → Gateway
      MG → Media Gateway
      GK → Gatekeeper
      MGC → Media Gateway Controller
      NMS → Network Management System
      IVR → Interactive Voice Response
  11. VoIP Protocols
      • Vendor Proprietary
      • Signaling Protocols
      • Media Protocols
  12. VoIP Protocols
      SIP → Session Initiation Protocol
      SGCP → Simple Gateway Control Protocol
      IPDC → Internet Protocol Device Control
      RTP → Real Time Transmission Protocol
      SRTP → Secure Real Time Transmission Protocol
      RTCP → RTP Control Protocol
      SRTCP → Secure RTP Control Protocol
      MGCP → Media Gateway Control Protocol
      SDP → Session Description Protocol
      SAP → Session Announcement Protocol
      MIME → Multipurpose Internet Mail Extensions – Set of Standards
      IAX → Inter-Asterisk eXchange
      Megaco H.248 → Gateway Control Protocol
      RVP over IP → Remote Voice Protocol over IP
      RTSP → Real Time Streaming Protocol
      SCCP → Skinny Client Control Protocol (Cisco).
      UNISTIM → Unified Network Stimulus (Nortel).
  13. VoIP Protocols - SIP
  14. VoIP Protocols – H.323
  15. A PenTester Perspective
  16. VoIP – Attack Vectors
      • Vulnerabilities of Both Data and Telephone Network
      • CIA Triad
  17. VoIP - Scanning
      • Scanning a network for VoIP enabled systems / devices.
      • Tools for Scanning and Enumeration:
        – Nmap → port scanner
        – Smap → sip scanner. Finds SIP Enabled Servers
        – Svmap → sip scanner
        – Svwar → sip extension enumerator
        – Iwar → VoIP Enabled modem Dialer
        – Metasploit Modules:
          • H.323 version scanner
          • SIP enumerator → SIP Username enumerator (UDP)
          • SIP enumerator_tcp → SIP Username Enumerator (TCP)
          • Options → SIP scanner (TCP)
          • Options_tcp → SIP scanner (UDP)
  18. VoIP – Scanning Demo
      • Nmap scan
  19. VoIP – Common Ports
      Protocol                               TCP Port     UDP Port
      SIP                                    5060         5060
      SIP-TLS                                5061         5061
      IAX2                                   -            4569
      http – web based management console    80 / 8080    -
      tftp                                   -            69
      RTP                                    -            5004
      RTCP                                   -            5005
      IAX1                                   -            5036
      SCCP                                   2000
      SCCPS                                  2443
      H.323                                  1720
  20. VoIP – Scanning Demo
      • Smap
      • svmap
  21. VoIP – Scanning Demo
      • Metasploit Scanner
  22. VoIP - Attacks
      • Identity Spoofing
      • Conversation Eavesdropping / Sniffing
      • Password Cracking
      • Man-In-The-Middle
      • SIP-Bye DoS
      • SIP Bombing
      • RTP Insertion Attacks
      • Web Based Management Console Hacks
      • Fuzzing
      • Default Passwords
  23. VoIP – Attacks Demo
      • Identity – Caller ID Spoofing
        – Tools Used:
          • Metasploit - SIP_INVITE_Spoof
          • VoIP Fuzzer – Protos-Sip
  24. VoIP – Attacks Demo
      • Conversation Eavesdropping
        – Tools used:
          • Cain & Abel
          • Ettercap
          • Arpspoof
          • Wireshark
  25. VoIP – Attacks Demo
      • Man-In-The-Middle
        – Tools Used:
          • Wireshark
          • Arpspoof / ettercap
          • RTPInject
          • RTPmixsound
  26. VoIP – Attacks Demo
      • Password Cracking
        – Tools Used:
          • SIPDump
          • SIPCrack
          • svcrack
  27. VoIP - Attacks
      Some Default Passwords for VoIP Devices and Consoles:
      Device / Console                                    Username                 Password
      Uniden UIP1868P VoIP phone Web Interface            -                        admin
      Hitachi IP5000 VOIP WIFI Phone 1.5.6                -                        0000
      Vonage VoIP Telephone Adapter                       user                     user
      Grandstream Phones - Web Administrator Interface    Administrator / admin    admin
                                                          user                     user
      • Asterisk Manager User Accounts are configured in /etc/asterisk/manager.conf
  28. VoIP – Audit & PenTest Tools
      • UCSniff
      • VoIPHopper
      • Vomit
      • VoIPong
      • IAX Flood
      • InviteFlood
      • RTPFlood
      • IAXFlood
      • BYE-TearDown
      • MetaSploit Modules:
        – Auxiliary Modules
          • SIP enumerator → SIP Username enumerator
          • SIP enumerator_tcp → SIP USERNAME Enumerator
          • Options → SIP scanner
          • Options_tcp → SIP scanner
          • Asterisk_login → Asterisk Manager Login Utility
        – Exploits
          • Aol_icq_downloadagent → AOL ICQ Arbitrary File Download
          • Aim_triton_cseq → AIM triton 1.0.4 CSeq Buffer Overflow
          • Sipxezphone_cseq → sipxezphone 0.35a Cseq Field Overflow
          • Sipxphone_cseq → sipxPhone 2.6.0.27 Cseq Buffer Overflow
  29. Countermeasures & Security
      • Separate Infrastructure
      • Do not integrate Data and VoIP Networks
      • VoIP-aware Firewalls
      • Secure Protocols like SRTP
      • Session Encryption using SIP/TLS, SCCP/TLS
      • Harden Network Security
        – IDS
        – IPS
        – NIPS
  30. Thank You
      See you all @ nullcon - Delhi
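
Slide 27 notes that Asterisk Manager accounts live in /etc/asterisk/manager.conf and lists default passwords; the following audit sketch is an added example, not code from the slides, that flags those defaults plus an exposed listener and a missing source ACL. It assumes the usual manager.conf keys (enabled, bindaddr, secret, permit); the sample file, the 12-character threshold and the function names are made up for illustration.

```python
import configparser
import ipaddress

SLIDE_DEFAULTS = {"admin", "user", "0000"}  # passwords in the slide 27 table
TRUTHY = {"yes", "true", "1", "on"}

# Constructed sample manager.conf (section names and secrets are made up).
SAMPLE = """\
[general]
enabled = yes
bindaddr = 0.0.0.0

[admin]
secret = admin      ; matches a default from the table
write = system,call

[monitor]
secret = x9TqLm2Vr8Kd7Wz
deny = 0.0.0.0/0.0.0.0
permit = 127.0.0.1/255.255.255.255
read = call
"""

def _is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # unparsable bind address is reported as exposed

def audit_manager_conf(text, min_len=12):
    """Return (section, finding) pairs for an Asterisk manager.conf body."""
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   inline_comment_prefixes=(";",))
    cp.read_string(text)
    findings = []
    enabled = cp.get("general", "enabled", fallback="no").lower() in TRUTHY
    # Assumption: a missing bindaddr is treated as listening on all interfaces.
    bindaddr = cp.get("general", "bindaddr", fallback="0.0.0.0")
    if enabled and not _is_loopback(bindaddr):
        findings.append(("general", f"AMI enabled on non-loopback {bindaddr}"))
    for user in (s for s in cp.sections() if s.lower() != "general"):
        secret = cp.get(user, "secret", fallback="")
        if secret.lower() in SLIDE_DEFAULTS or secret.lower() == user.lower():
            findings.append((user, "default or username-derived secret"))
        elif len(secret) < min_len:
            findings.append((user, f"secret shorter than {min_len} characters"))
        if not cp.has_option(user, "permit"):
            findings.append((user, "no permit ACL: any source may log in"))
    return findings
```

Calling `audit_manager_conf(SAMPLE)` returns three findings for the constructed file: the exposed listener and two for the `admin` account; the `monitor` account passes.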
